SSL certificates explained: What SSL is, how it works and why you should use it as well

“We want internet to be safer!” think lots of people all over the world.

And experts are working on just this day and night. However, results of their hard work are often so difficult to understand that only security experts themselves know what has been accomplished.

This is the case with SSL certificates. While IT experts know what SSL is, how it helps with securing the internet and all that jazz, most people have only partial – and often wrong – information. And although news outlets try, they only succeed in passing on very basic information – like “check if your browser says HTTPS and look for a lock icon, then you’re safe” kind of thing.

But there’s more to it than that.

Because SSL certificates are a complex and powerful system that makes the internet safer.

Many people think the following equation is true: HTTPS means safe browsing. But what does it actually mean?

In short: How does SSL work?

To understand how SSL works, you first need to know the basics of internet communication.

When any connection over the internet is established – like when browsing web or sending an email – a lot of information has to travel over the network. It is sent both by a client (e.g. an internet browser) and a server (e.g. the one that hosts the website we want to visit). And by information we mean practically all the content that can be seen on the website as well as the things that we do while we’re there.

However, there are many network elements in the way between the two main actors of this dialog, and so the connection needs to be secured. Otherwise, anyone could “listen in” on the “conversation”, or even step in and pretend to be one of the actual communication partners.

This could have very negative consequences – from stolen passwords for email services or bank accounts to things like state or industry espionage. That’s why it’s important to secure the connection and the data it transfers.

And that’s exactly what protocols called SSLdo.

What should we call it – SSL or TLS?

Even though the acronym SSL is usually used as a general term meaning cryptographic protocols for securing the internet communication, the SSL (or Secure Sockets Layer) was originally a name of one specific protocol. It has since been supplanted in most cases by a newer TLS (or Transport Layer Security) protocol. Still, the acronym SSL is often used as a general term for crypto-protocols. Old habits and all that.

The SSL protocols have two purposes. First, they take care of identification. Thanks to SSL, both the client and the server know, that they’re talking over the network to each other and not just to someone who is impersonating them.

Second, they take care of encrypting the communication. They allow both sided to agree on an encryption algorithm, to securely swap keys and to create a common secret they then use for encryption.

It’s easy to tell that a protocol from the SSL family is being used – the address bar of a browser shows the acronym HTTPS (meaning Hypertext Transfer Protocol Secure, or HTTP over SSL) instead of the usual HTTP. But this doesn’t mean that the browsing is safe – that’s something the protocol can’t guarantee – it just means that the communication is encrypted and as such is more resistant to being intercepted.

Certificates are a key factor of secure communication

That’s the SSL protocols sorted then, but what about those certificates? What role do they play?

An important one, to be sure – without certificates, the protocols wouldn’t work.

Thanks to the certificates, client and server can trust each other, regardless of whether they had any contact in the past or not.

It works a bit like having a common friend with someone. Do you need help fixing your car, but you don’t know any decent mechanic? Maybe your best friend does. And because he’s a good friend, he will introduce you to the mechanic and help you with exchanging phone numbers. In a way, your friend is vouching for both of you – that the mechanic is a good one and that you won’t shy away from paying for the repair.

Another example could be a university diploma. The university has given you a certificate about passing all the requirements and understanding your field of study. When looking for work as a nuclear physicist, your future employer doesn’t need to quiz you on everything about atom. They trust your university and both its judgement and certificate, so they can trust you and your knowledge.

It’s very similar with SSL certificates. The role of a good friend or a reputed university is played by so-called root certification authorities. Those are companies trusted by a large number of participants in the internet traffic. Their duty is to check servers and give out certificates to server owners.

Every computer gets a list of some of these certification authorities when its OS is first installed. Thanks to this list, it’s able to communicate with a vast amount of legitimate servers, because the computer can just check whether the server is trusted by one of the authorities.

Certificates contain many security features against forgery, so every participant in the communication over the internet should be able to automatically check whether the certificate is real.

Apart from all this, they contain information about the server they belong to – this allows you to check whether you’re actually transmitting data to the server of the domain that owns the certificate. They also contain dates signifying when the certificate has been created and when will it expire – because certificates need to be regularly restored. And last but not least, they contain a public key of its owner, which allows the encrypted communication to work.

Public and private keys

A public key is one of a pair of keys used in encrypted communication. This one is used for encrypting the message, but it can't decrypt it back again. Because it is publicly available, anyone can send you an encrypted message, but can’t use it to read any of your messages that you don’t want them to read. Decrypting messages can only be done by your private key that you never share with anyone. The method using two keys for encrypting and decrypting communication is calledasymmetric cryptography.

Securing the internet should be everyone’s business

Why should a server owner get a SSL certificate, then?

The reasons for it are pretty clear.

When you’re operating a website that in any way processes sensitive data, you should try to keep them safe and secure while they are travelling through the network between your client and your server. The communication needs to be encrypted and SSL protocols – and by extension SSL certificates – take care of that. Sensitive personal information can mean even just a username and a password used for website login. Czech laws put the onus on the actor processing the information to make sure it can’t be misused (though the mileage can vary in different countries). So if you use your website for accepting product orders from your clients that include their delivery address, for example, you must secure the transfer of this information.

Even if you’re not processing sensitive data and your server only hosts your cooking blog or a company website, you should still consider getting a SSL certificate. Internet security is very strongly pushed forward by big corporations like Microsoft and Google these days. Both these companies (and many others) have already stated that getting communication secured through SSL is very important for them. Google even claimed that from this year forward, whether or not the server uses SSL will be considered as a factor in deciding the search engine result page position of websites. Your successfull cooking blog or a company website could easily fall down from the first page of Google results all the way back to twentieth page or worse. No readers or customers will find you – or rather, even look for you – there.

Moreover, when a website uses SSL certificates – especially the so-called extended validation certificates – it’s more trusted by its users than an unsecured site. People are more willing to do business with you and share their personal information when they know that you’ll treat it with care.

So everything about certificates is rosy? Well, yes and no

The principle behind SSL certificates is sometimes criticized, mainly because of the high prices some certificate authorities demand. Although certificates used to be quite expensive in the past, they can be had quite cheaply these days and from trustworthy authorities to boot. And apart from that there are also solutions that use completely free certificates like Let’s Encrypt.

Another criticized part of the whole certification process is that sometimes, certificates are issued to wrong subjects. Recently, this has even happened to a rather big player in the internet space. Google found out that one particular French government agency was using a certificate to pretend it was the US giant, just so it could spy on its own employees. But scams like these are usually very quickly found out and the certificates in question invalidated. That’s why there’s also a protocol for checking revocation – before using a certificate, a browser sends a query to the certificate authority to check if it is still valid.

And you may have read about attacks that can leverage some weak spots in SSL protocols. The truth is that every working security feature always attracts people who try to break through it. Every good safe is taunting safecrackers to try and beat it. So does the SSL. There are many hackers out there trying to find a hole in the protocols and certificates. And they are sometimes successful, like with the infamous Heartbleed bug or the quite recently discovered Drown attack. However, these security holes are very quickly plugged and the protocols are always developing to prevent such misuse in the future.

Some of these attacks – like the mentioned Drown – use bugs that were present in old versions of these protocols that servers today shouldn’t even use. So if you are taking good care of your servers – or you’re entrusting them to someone else who takes good care of them for you – the chance you’ll be attacked is minimal. And your security will improve all around. If you’re still not doing so, you should definitely start using SSL certificates now.